String#escapeHTML escapes HTML.  Double quotes, single quotes, and
newlines are all valid in HTML, so IMHO it's out of scope for
escapeHTML to escape them.  FWIW, I'd say the requirement you're
describing is specific enough to you that you should probably just add
it at your end.  For instance, if your JSON strings are delimited with
double quotes, there's no need to escape single quotes (and vice

> The example in the documentation of escapeHTML also contains this
> error, but no warning about this behaviour.

The example in the docs is:

'<div class="article">This is an article</div>'.escapeHTML();
// -> "&lt;div class="article"&gt;This is an article&lt;/div&gt;"

I can see why you're thinking of that as an error, if you think of the
entire thing after the "// ->" as being a JavaScript string literal,
but it isn't -- it's just documentation.  The quotes are to indicate
the value is a string, not that the whole thing is a string literal.
Other places will say things like "// -> Alerts 'Hi there'" which is
also not valid JavaScript.  I wouldn't say it's clear, though, and
FWIW I agree we should change it -- probably to an example that
doesn't use double quotes.

If you create a lighthouse ticket, feel free to assign it to me.  I'd
probably add something like this to the docs:

"Note that escapeHTML escapes HTML tags.  If you're going to include
the result in a string literal, you may also need to escape double
quotes, single quotes, and newlines.  String#gsub may be useful for
doing that."

T.J. Crowder
tj / crowder software / com
Independent Software Engineer, consulting services available

On Jun 24, 9:39 am, Szymon Wilkołazki <wilkola...@gmail.com> wrote:
> Hi,
> I just tried to put a json object inside an attribute an I bumped into
> an issue with String#escapeHTML().
> The method does escape all the ampersands and the greater/less than
> signs, but it does nothing to the quots.
> This make the method completely unusable for writing attributes (for
> innerHTML use).
> Lets get through an example:
> var eventMemo = {
>     aLabel: 'some String with "quotes", \'apostrophes\'...',
>     otherLabel: 'another String with &ampersands and <tags>'};
> //I want this object inside an html attribute, so lets
> //make it JSON and escape it:
> var attr = Object.toJSON(eventMemo).escapeHTML();
> var link = '<a href="javascript:;" class="fireCustomEvent"'+
>   ' data-eventMemo="' + attr + '" > '+
>   ' this link is supposed to fire custom event with memo '+
>   ' read from data-eventMemo attribute '+
>   '</a>';
> //lets see what this link looks like in Firebug:
> console.log(link);
> The output is:
> <a href="javascript:;" class="fireCustomEvent"
> data-eventMemo="{"aLabel": "some String with \"quotes\",
> 'apostrophs'...", "otherLabel": "another String with &amp;ampersands
> and &lt;tags&gt;"}" >this link is supposed to fire custom event with
> memo read from data-eventMemo attribute</a>
> As you can see, the output is completely broken, as the " are not
> converted to &quot; and ' to &#39;
> One have to append another replaces to properly escape the string:
> var attr =
> Object.toJSON(eventMemo).escapeHTML().gsub(/"/,'&quot;').gsub(/'/,'&#39;');
> The example in the documentation of escapeHTML also contains this
> error, but no warning about this behaviour.
> 1. A note should be added to the docs about this issue, and an example
>   how to properly escape string for use inside attributes;
> 2. A parameter could be added tho this method which would escape
> quotes automaticly.
> Or a separate function could be introduced, eg. escapeHTMLquots()
> which would do the same unconditionally.
> 3. Current behaviour of method can not be changed, as this would
> create backward incompatibility.
> I will place an issue about the docs, and I would like to hear your
> opinion about the method modifications.
> Best Regards,
> SWilk
You received this message because you are subscribed to the Google Groups 
"Prototype & script.aculo.us" group.
To post to this group, send email to prototype-scriptaculous@googlegroups.com
To unsubscribe from this group, send email to 
For more options, visit this group at 

Reply via email to